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Chairman Burr, Vice Chairman Warner, and other members of this Committee: 

I am pleased the Committee has convened this hearing on the important topic of 
election cybersecurity. 

In 2016 the Russian government, at the direction of Vladimir Putin himself, 
orchestrated cyberattacks on our Nation for the purpose of influencing the election that 
year - plain and simple. The experience should be a wake-up call for our Nation, as it 
highlighted cyber vulnerabilities in our political process, and in our election infrastructure 
itself. Now, with the experience fresh in our minds and clear in our rear-view mirror, the 
key question for our leaders at the national and state level is this: what are we doing 
about it? The matter is all the more urgent given the public testimony of our Nation’s 
intelligence chiefs last month, before this very Committee, that the Russians effort 
continues into the ongoing 2018 midterm election season. 

From December 23, 2013 to January 20, 2017 I served as Secretary of Homeland 
Security. During that time, I had the privilege of working with Congress to provide 
additional authorities to the Department of Homeland Security (“DHS”) to defend the 
Nation’s and the federal government’s cybersecurity, through the Cybersecurity Act of 
2015, 1 the National Cybersecurity Protection Advancement Act, 2 the Federal Information 
Security Modernization Act of 2014, 3 and other new laws. 4 

But, there is more to do. 

Cyberattacks of all manner and from multiple sources are going to get worse 
before they get better. In this realm and at this moment, those on offense have the upper 
hand. Whether it’s cyber-criminals, hacktivists, or nation-state actors, those on offense 
are ingenious, tenacious, agile, and getting better all the time. Those on defense struggle 
to keep up. As in other matters of homeland security, we must mobilize our Nation in 
support of stronger cyber defenses. 

The views I express here are my own, based upon my personal experiences in 
national security and, now, as a concerned private citizen. The factual testimony I offer 
here is based on my best recollection of events months past, without the opportunity to 
review internal government documents or classified material. 


1 Pub. L. No. 114-113, 129 Stat. 2935 (2015). 

2 Pub. L. No. 113-282, 128 Stat. 3066 (2014). 

3 Pub. L. No. 113-283, 128 Stat. 3073 (2014). 

4 See also the Border Patrol Agent Pay Reform Act of 2014, Pub. L. No. 113-277, 128 Stat. 2995 (including 
additional authorities for cybersecurity recruitment and retention). 
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Sometime in 2016 I became aware of a hack into systems of the Democratic 
National Committee. As 2016 progressed, my concerns about the potential of a 
cyberattack around our national election grew. At DHS, we developed a plan to engage 
state election officials to offer them our cybersecurity assistance. 

My staff also suggested to me that I could, under my existing authorities, declare 
election infrastructure to be “critical infrastructure” in this country. There are 16 
infrastructure sectors - e.g., financial services, dams, transportation, government 
facilities, the defense industrial base - that are already considered critical infrastructure. 
By adding election infrastructure to that list, it would principally mean two things for 
cybersecurity purposes: (1) election officials, upon request, would be a top priority for 
the receipt of DHS’s services, and (2) as part of critical infrastructure, election 
infrastructure would receive the benefit of various domestic and international 
cybersecurity protections. 

On August 3, 2016, in an on-the-record session with reporters, I publicly floated 
the idea of designating election infrastructure in this country as critical infrastructure. 

Twelve days later, on August 15, I convened a conference call with secretaries of 
state and other chief election officials of every state in the country. I told state officials 
that we must ensure the security and resilience of election infrastructure, and offered 
DHS’s assistance to the states in doing that. I also reiterated the idea of designating 
election infrastructure as critical infrastructure. 

To my disappointment, the reaction to a critical infrastructure designation, at least 
from those who spoke up, ranged from neutral to negative. Those who expressed 
negative views stated that running elections in this country was the sovereign and 
exclusive responsibility of the states, and they did not want federal intrusion, a federal 
takeover, or federal regulation of that process. This was a profound misunderstanding of 
what a critical infrastructure designation would mean, which I tried to clarify for them. 

But, based on what I heard on the call, my team and I decided that a critical 
infrastructure designation at that time, during the election season, would be 
counterproductive. I remained convinced it was a good idea, but we put the idea on the 
back burner. Instead, and more importantly in the time left before the election, we 
encouraged the states to seek our cybersecurity help. Prior to the election, encouraging 
the horses to come to the water had to be the primary objective. 

At around the same time we were engaging state election officials, my staff and I 
began to see and hear very troubling reports of scanning and probing activities around 
various state voter registration databases. This was obviously a matter of great concern. 
In the latter half of August, the FBI issued an alert to the states about these activities, 
which included the IP addresses of those associated with the attempted hacks. 

Both publicly and privately, my staff and I repeatedly encouraged state and local 
election officials to seek our cybersecurity assistance. 
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On September 16,1 issued one of a number of public statements encouraging state 
election officials to strengthen their cybersecurity, and describing the range of services 
DHS could provide. In that statement I also said the following: 

“7/7 recent months we have seen suspicious cyber intrusions involving 
political institutions and personal communications. We have also seen 
some efforts at cyber intrusion of voter registration data maintained in 
state election systems. We have confidence in the overall integrity of our 
electoral systems. It is diverse, subject to local control, and has many 
checks and balancefs] built in. Nevertheless, we must face the reality that 
cyber intrusions and attacks in this country are increasingly sophisticated, 
from a range of increasingly capable actors that include nation-states, 
cyber hacktivists, and criminals. In this environment, we must be 
vigilant." 5 

In September, President Obama personally asked congressional leaders to issue a 
bipartisan call to state election officials to seek DHS’s cybersecurity assistance. Speaker 
Ryan, Leader Pelosi, and Senators McConnell and Reid did so, in a joint letter dated 
September 28. 6 7 

On October 1, I issued a public statement thanking the congressional leaders for 
their letter, and once again encouraged the states to seek our assistance. Here again I 
warned of the threat we were seeing to state voter election data: 

“7/7 recent months, malicious cyber actors have been scanning a large 
number of state systems, which could be a preamble to attempted 
intrusions. In a few cases, we have determined that malicious actors 
gained access to state voting-related systems. However, we are not aware 
at this time of any manipulation of data. We must remain vigilant and 
continue to address these challenges head on." 1 

Meanwhile, in the August-September timeframe, our intelligence community 
became increasingly convinced that the Russian government was behind the hacks of the 
DNC and other political institutions and figures. 

I and others also became personally convinced that we needed to inform the 
American public, prior to the election, of what we knew the Russian government was 
doing. In the midst of the politically-charged election season, with accusations by one of 
the candidates that the election was going to be “rigged,” attribution was going to be a 
big and unprecedented step, and required careful consideration. However, we recognized 


5 See https://www.dhs.gov/news/2016/09/16/statement-secretary-jolinson-concerning-cybersecurity- 
nation%E2%80%99s-election-systems. 

6 See https://www.nased.org/Four_Leaders_on_Cybersecurity_and_Elections_9-28-16.pdf. 

7 See https://www.dhs.gov/news/2016/10/01/statement-secretary-johnson-about-election-systems- 
cybersecurity. 
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we had an overriding responsibility to inform the public that a powerful foreign state 
actor had covertly intervened in our democracy. 

Therefore, on October 7, Director Clapper and I issued the statement formally and 
publicly accusing the Russian government of directing cyber “thefts and disclosures 
[that] are intended to interfere with the US election process.” 8 In this statement, we also 
warned again that “[s]ome states have also recently seen scanning and probing of their 
election-related systems, which in most cases originated from servers operated by a 
Russian company” (we were not then in a position to attribute this activity to the Russian 
government) and once again encouraged state election officials to seek DHS’s assistance. 

Three days later, on October 10, I issued another public statement encouraging 
states and other jurisdictions to seek our assistance in the 29 days before the election. 9 

By election day on November 8, a large number of state and local election 
officials did in fact respond to our offers of cybersecurity assistance. More specifically, 
almost every state contacted DHS about its services, and 33 states and 36 cities and 
counties used DHS tools to scan for potential vulnerabilities and/or sought mitigation 
advice from us. Overall, DHS proactively provided election-related mitigation advice 
and cyber threat indicators/information for network defense to likely hundreds, if not 
thousands, of state and local officials. 

On election day, DHS assembled a crisis-response team to rapidly address any 
reported cyber intrusions into the election process. 

To my current knowledge, the Russian government did not, through any cyber 
intrusion, alter ballots, ballot counts or reporting of election results. I am not in a 
position to know whether the successful Russian government-directed hacks of the DNC 
and elsewhere did in fact alter public opinion and thereby alter the outcome of the 
presidential election. 

Following the election, and at the direction of President Obama, on December 29 
the U.S. government took a number of steps in response to the Russian government’s 
efforts to interfere with our election. These included (i) sanctions against various Russian 
intelligence services and officers and three companies, (ii) the expulsion from our 
country of 35 Russian government officials, and (iii) a joint report by DHS and the FBI 
providing details about the tools and infrastructure used by the Russian government to 
compromise networks associated with the election. 

On January 6, 2017, and also at the direction of President Obama, the intelligence 
community released an unclassified public report, “Assessing Russian Activities and 


8 See https://www.dhs.gOv/news/2016/10/07/joint-statement-department-homeland-security-and-office- 
director-national. 

9 See https://www.dhs.gov/news/2016/10/10/update-secretary-johnson-dhs-election-cybersecurity-services. 
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Intentions in Recent US Elections,” to better educate the public about what had 
happened. 10 

Following the election, I returned to the issue of the designation of election 
infrastructure as critical infrastructure. Throughout the fall, my staff had continued the 
dialogue with state election officials about the designation. Following the election, my 
staff reported to me that state officials’ stated views of the designation had not changed, 
and continued to be neutral to negative. On January 5, I had one more conference call 
with state election officials to be sure I understood their reservations. Notwithstanding 
what I heard, I had become convinced that designating election infrastructure as critical 
infrastructure was something we needed to do. The next day, on January 6, I issued a 
public statement announcing my determination that election infrastructure in this country 
should be designated as a subsector of the existing “Government Facilities” critical 
infrastructure sector. * 11 

I am pleased that in 2017 then-Secretary Kelly reaffirmed that designation. 

The 2018 midterm elections are now upon us. The first primaries in the 2020 
presidential election are less than two years away. I am pleased that state election 
officials, to various degrees, now seem to be taking serious steps to fortify the 
cybersecurity of their election infrastructure, and that the Department of Homeland 
Security is currently taking serious steps to work with state and local election officials to 
strengthen their cybersecurity. 

As a Nation, we must resolve to strengthen our cybersecurity generally, and the 
cybersecurity around election infrastructure specifically. Nothing less than the health and 
strength of our democracy depends on this. 

I am prepared to discuss further my own views on this topic, and I look forward to 
your questions. 


10 See https://www.dni.gov/files/documents/ICA_2017_01.pdf 

11 See https://www.dhs.gOv/news/2017/01/06/statement-secretary-johnson-designation-election- 
infrastructure-critical. 
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